Don't Fall For Misleading Story Being Spread By NSA Suggesting Tech Companies Lied About PRISM

from the bogus dept

Update: With little fanfare, the Guardian has now added a note (at the bottom) saying that it has adjusted the story because of the initial misleading claims:

This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders.

I wonder how many people who have been repeating the initial misleading claims will go back and see that change? Original story below:

I'm seeing a bunch of folks passing around a story by Spencer Ackerman at The Guardian, claiming that tech companies lied about their "denials" of PRISM. The story is incredibly misleading. Ackerman is one of the best reporters out there on the intelligence community, and I can't recall ever seeing a story that I think he got wrong, but this is one. But the storyline is so juicy, lots of folks, including the usual suspects are quick to pile on without bothering to actually look at the details, insisting that this is somehow evidence of the tech companies lying.

So, let's look at what actually happened. The report is based on statements by Rajesh De, the NSA general counsel, who was testifying before the US's Privacy and Civil Liberties Oversight Board (PCLOB). Here's the part that's catching everyone's attention:

Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”

When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook, Paltalk, AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers’ data. Some, like Apple, said they had “never heard” the term Prism.

Everything stated above is technically true, but misleading. The problem is that what the companies denied is not what De is talking about. What they denied is what both the Washington Post and the Guardian initially implied: that the NSA had "direct access" to the servers of the nine companies named under PRISM, with the clear implication of the stories being that direct access was to basically all servers. All of the companies denied that level of access (which was and remains true). They also (as Ackerman does mention) denied knowing what PRISM was. Within a day or so, it became quite clear that "PRISM" was merely orders under Section 702 of the FISA Amendments Act -- which is what eventually led a bunch of those same companies to sue the government, saying they wanted to reveal the details of the Section 702 orders that they got, including how many orders they received and how many user accounts were impacted by those orders. The very reason they filed that lawsuit was in an attempt to prove that PRISM/Section 702 orders were never about full access to everything, but rather more targeted requests approved by the FISA court (it's fair to point out that the NSA's definition of "targeted" is broader than you and I would like, but that's a separate issue).

In January, that lawsuit was settled, with the DOJ giving companies (for the first time) the ability to reveal (in quite a limited way) how many FISA orders they received and how many "customer selectors targeted." And, in fact, a bunch of companies have done so. Here, for example, we wrote about Yahoo and Google's reporting of those requests. For example, from January to June of 2013, Google received between 0 and 999 FISA orders, covering 9000-9999 user accounts targeted. During the same period, Yahoo received between 0 and 999 such orders, targeting between 30,000 and 30,999 accounts. Much of that is PRISM -- and no one has ever denied that. It's unfortunately obfuscated, because the "FISA orders" lump together the Section 702 "PRISM" orders with separate Section 107 orders, and (worse) because the companies can't really reveal users impacted, just customer selectors targeted. That obfuscation is a big problem, but is entirely unrelated to the original reporting on PRISM and the companies' response.

So, yes, of course companies were aware of the Section 702 orders they get. That's the only possible way they can comply with Section 702 orders. And, certainly, the only way they could report on how many such orders they got. What they denied was the original reporting which suggested, incorrectly, that PRISM was a much broader program that involved direct access to these companies' systems, allowing the NSA to suck out just about anything. That was never true, and that was what they were denying. The lawsuit and the transparency reports were all about (attempting to) clear up that confusion, showing that these companies simply comply with Section 702 orders, rather than grant broad access to all accounts, as the original reports implied. And, in fact, the release of those transparency reports provided at least a little transparency (tragically muddied by the DOJ's requirements). There are separate issues about other ways that the NSA got access to these companies' information, such as hacking into datacenter connections, but that's unrelated to PRISM.

Ackerman has been following all of this, so I'm both confused and surprised as to why he'd fall for De's attempt to suggest that the companies were lying. Even more bizarre is his claim that De's comments were "contradicting the tech companies about the firms' knowledge of Prism." But that's not true. De is saying the companies knew about Section 702 orders, which of course they did. Otherwise, why would they have been fighting to reveal the details -- and why else would they have posted the details to their transparency reports? I find it hard to believe that Ackerman doesn't know about the very transparency reports from the companies that show that the companies were (of course) aware of the Section 702 orders he says in the article they denied. They never denied such orders.

If anything, this feels a lot more like the NSA (as the NSA does) using careful language choices to attack-by-false-implication the tech companies who have recently been fighting hard to encrypt more data to make it harder for the NSA to crack into their systems (not under PRISM, but under Executive Order 12333). In the end, De's claim is a non-story, turned into a misleading story.

Reader Comments

Nice move, NSA: further isolating US tech companies to ensure that anyone who does business with them views them with further suspicion, thus undercutting their own ability to spy on them. I don't think they care about collateral damage or targeted surveillance. Just lashing out and claiming everyone was involved would hardly win them any points.

Re:

And, I'm so sick of this whole theater, that I would pay money to have a secure chat, email and voice client. As long as the service can establish (through open source code) that the whole end-to-end communication is encrypted and nothing is stored. Apparently, having a private conversation with another human on this planet is too much to ask without a jerk looking at your video chat, facebook accounts, phone numbers, and mining your content.

Re: Re:

Don't need to pay. There are rather good (arguably better than commercial -- what commercial product is opensource and trustworthy? Do you compile your own source if a company offers an executable? Does the company offer a NON-executable source tarball? Do you know if they compile to the same thing?) options.

1) General: Get Tails (which is opensource). It's user-friendly to the beginner, and simple to set up either as a liveboot or with VirtualBox, which is opensource (there are plenty of guides to setting this up for the beginner available via Google -- it's usually just a few steps). It has built-in capabilities for Claws Mail (see below) for email with GPG and Pidgin with OTR (again, see below) for chat, along with other things.

2) Email: K9 Mail on your mobile device with its GPG plugin, and Claws Mail with GPG plugin for your PC. Make sure to use GPG and enable it in your options. No encryption will work if your recipient does not also use GPG (at least not effectively).

3) Chat: Adium with the OTR plugin on OSX, Pidgin with the OTR plugin on Windows or Linux. For mobile (if you're on Android), you can use ChatSecure (previously known as Gibberbot), which incorporates OTR encryption and other privacy scrubbing mechanisms.

4) If you're on Android, get Orbot and use that to run ChatSecure (as above) via Tor (Tails uses Tor for everything; Tails and Tor both have plentiful documentation out there).

5) For web browsing with Orbot/Tor get Orweb -- and try to use SSL pages. This is imperfect, but with Tor you have some small extra measure of theoretical privacy.

6) Voice: There's an experimental voice plugin for ChatSecure. Look into Jitsi. You might want to consider RedPhone if it's still supported, but I consider its use of phone-connected-to-account a bit suspect.

7) SMS: TextSecure is awesome.

Re:

That's the first thing that struck me. This is further undermining the US commercial relations around the world. At this point the NSA is actively harming the US economy. How the heck is this justifiable?

Here we go with the parsing game again. Define "company". Company legal staff, company officers, company sales & marketing, company finance, company PR possibly didn't know about collection *not* under the law, or didn't know what they knew, or didn't know what they didn't know. Embedded moles and infiltration at senior levels. There are spies in all strategically important companies, not those that the CEOs know about - those that they don't do the real dirty work.

Guardian Update

Ackerman's article now contains the following update:

This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders. Other minor clarifications were also made.